SSL errno 104 through F5 (vip), directly with curl ok
Ok - I've used the article "how to use ssldump utility" for the next steps. After performing tcpdump and ssldump I will receive the following lines:
For description:
- x.x.x.200 is the non-floating IP address which executes the monitor check.
- x.x.x.201 is the floating IP address for the regular request.
Within the connection of the floating IP address I see just nothing. I already used the insecure SSL server profile, too. To check the system I've also reconfigured the vip to use the non-floating IP (x.x.x.200).
New TCP connection 2: 172.21.254.200(61407) <-> 10.235.96.29(4443)
2 1 0.1926 (0.1926) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
compression methods
NULL
2 0.5735 (0.3808) S>C TCP FIN
2 0.5736 (0.0001) C>S TCP RST
New TCP connection 3: 172.21.254.200(59346) <-> 10.235.96.29(4443)
3 1 0.1939 (0.1939) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
compression methods
NULL
New TCP connection 4: 172.21.254.201(1978) <-> 10.235.96.29(4443)
4 0.2052 (0.2052) C>S TCP FIN
3 0.5759 (0.3820) S>C TCP FIN
3 0.5760 (0.0000) C>S TCP RST
4 0.5828 (0.3776) S>C TCP FIN
New TCP connection 5: 172.21.254.200(34721) <-> 10.235.96.29(4443)
5 1 0.1934 (0.1934) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
compression methods
NULL
5 0.5740 (0.3806) S>C TCP FIN
5 0.5741 (0.0001) C>S TCP RST
New TCP connection 6: 172.21.254.200(46619) <-> 10.235.96.29(4443)
6 1 0.1980 (0.1980) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
compression methods
NULL
6 0.5788 (0.3807) S>C TCP FIN
6 0.5789 (0.0001) C>S TCP RST
New TCP connection 7: 172.21.254.200(3858) <-> 10.235.96.29(4443)
7 1 0.1927 (0.1927) C>S Handshake
ClientHello
Version 3.3
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc012
Unknown value 0xff
compression methods
NULL
7 0.5746 (0.3818) S>C TCP FIN
7 0.5747 (0.0001) C>S TCP RST
Hi Seilemor,
sorry my fault. Change the TCPDUMP filters to the example below. It will allow you to capture bidirectional traffic...
tcpdump -i YOUR_VLAN_LABEL -w /var/tmp/capture.cap host 10.235.x.x and port 4443
But anyhow. In your last capture the F5 Floating hasn't even sent a Client Hello to the problematic servers. But on the other hand the F5 Floating was able to send a Client Hello (and successfully negotiate an SSL connection) to the remaining servers using the identical pool and SSL Profiles?
That's a somewhat strange behavior... 😞
Cheers, Kai
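Added example, not part of either post and not F5 tooling: a small Python parser that groups ssldump text output by connection and reports, for each client IP, whether a ClientHello was sent and answered and how the TCP session closed, which is the comparison made above between the .200 and .201 addresses. The function name `summarise`, the verdict strings and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample in ssldump's text layout, shortened from the capture in this thread.
SAMPLE = """\
New TCP connection 3: 172.21.254.200(59346) <-> 10.235.96.29(4443)
3 1 0.1939 (0.1939) C>S Handshake
ClientHello
Version 3.3
New TCP connection 4: 172.21.254.201(1978) <-> 10.235.96.29(4443)
4 0.2052 (0.2052) C>S TCP FIN
3 0.5759 (0.3820) S>C TCP FIN
3 0.5760 (0.0000) C>S TCP RST
4 0.5828 (0.3776) S>C TCP FIN
"""

NEW_CONN = re.compile(r"New TCP connection (\d+): (\S+)\(\d+\) <-> (\S+)\(\d+\)")
# "<conn> [<record>] <time> (<delta>) <direction> <what>"; TCP events carry no record number.
RECORD = re.compile(r"(\d+)\s+(?:\d+\s+)?\d+\.\d+\s+\(\d+\.\d+\)\s+(C>S|S>C)\s+(.+)")

def summarise(text):
    """Return {conn_id: {"client", "server", "msgs", "tcp", "verdict"}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := NEW_CONN.match(line):
            current = m.group(1)
            conns[current] = {"client": m.group(2), "server": m.group(3),
                              "msgs": [], "tcp": []}
        elif m := RECORD.match(line):
            current = m.group(1)  # detail lines that follow belong to this connection
            if current in conns and m.group(3).startswith("TCP "):
                conns[current]["tcp"].append(f"{m.group(2)} {m.group(3)[4:]}")
        elif current in conns and line in ("ClientHello", "ServerHello"):
            conns[current]["msgs"].append(line)
    for c in conns.values():
        if "ServerHello" in c["msgs"]:
            c["verdict"] = "server answered the ClientHello"
        elif "ClientHello" in c["msgs"]:
            c["verdict"] = "ClientHello sent, no ServerHello"
        else:
            c["verdict"] = "no ClientHello sent"
    return conns

if __name__ == "__main__":
    for cid, c in summarise(SAMPLE).items():
        print(cid, c["client"], "->", c["server"], "|", c["verdict"], "|", c["tcp"])
```

Records from different connections interleave in ssldump output, so the parser attributes each detail line to the connection id on the most recent record line rather than to the most recent "New TCP connection" header.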